All Department of Defense (DoD) contractors must comply with the mandates of the Defense Federal Acquisition Regulations (DFARS). The DFARS now have added requirements for companies to safeguard DoD information and put in place new incident response procedures.
The most important points:
- Although security and use of technology are touched on in many areas of the DFARS, the most significant changes are known as DFARS Part 252.204-7012. Most in the industry call the new changes “7012 Compliance”.
- The acronym CDI stands for Covered Defense Information. CDI is any information that is provided to the contractor by or on behalf of DoD in connection with the contract. It is also any information collected, developed, received or transmitted by the contractor in performance of the contract.
- Contractors must fully understand what CDI they create, process, store or transmit. CDI must be protected with adequate security controls, which are going to be as strong as or stronger than those reflected in NIST Special Publication 800-171.
- Contractors must also be able to detect unauthorized access to CDI and have an incident response plan that complies with the DFARS guidance, including reporting requirements.
- The cost of compliance is considered an allowable cost under Federal Acquisition Regulation (FAR)/Cost Accounting Standards (CAS).
Compliance is made much easier if you put a trusted advisor on your side. Crucial Point offers a scalable advisory model we call CTO-as-a-Service that can help you reach compliance fast. Contact us for a free consultation.